GDPR Requirements for Consent: What You Need to Know

Michelle_Miles3
Level 9 - Champion Alumni
Level 9 - Champion Alumni

For those of you who missed our recent webinar, “Fearless Marketing Strategies for GDPR World,” you missed a good discussion. The most popular topic of the day was “consent.” We had many questions regarding GDPR compliance requirements—everything from permission to retain personal data, to what to do if you are unsure if consent exists or are missing the documentation to back it up, as well as how GDPR consent compares to CASL. All very valid questions!   As for the answers:

GDPR Documentation for your Database

We’ve covered the topic before, but it’s worth another mention—auditing your database for GDPR compliance may be painstaking and time-consuming but it is also highly recommended; appropriate documentation is just as necessary as capturing consent. To verify consent, all records in your database should have:

  • opt-in date and timestamp
  • opt-in source
  • opt-in IP address (if available)

For records that are questionable, better safe than in doubt is the rule of thumb. Run a whitelisting (verification) campaign now, so there’s no question regarding if, how or when consent was obtained. No one wants to be fined €20 million or stop European marketing operations due to records you thought were compliant but are not.

And just a reminder, track BOTH data consent and email consent as one does not guarantee the other. Having said that, email consent can constitute data consent, if appropriate privacy policies are acknowledged.

Bundling Consent: What to Do and What to Avoid

When using content (such as a white paper) to attract interest, per GDPR, opting-in to marketing communications cannot be assumed or bundled with another action. You may however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always ALWAYS link your forms to your privacy policy!

GDPR vs. CASL

As we talk more and more about consent, we’re frequently asked another question: does CASL (Canadian Anti-Spam Law) compliance mean you are also GDPR compliant? Aren’t the two processes for capturing consent very similar? In a word, yes and no. (OK, two words) The opt-in process is similar, as both consent intake process should include an unchecked checkbox on a form and capturing date/timestamp, opt-in source and opt-in IP, and a link to your privacy policy. If you’re already using this methodology for CASL, you can extend it to your GDPR operations.

However, while both regulations are permission-based, that’s where the similarity ends. We like to think of GDPR as “CASL on steroids”—GDPR extends much further than CASL and with stiffer penalties. GDPR goes beyond permission to email, extending into cookies, data processing and other elements that are not governed under CASL.

See how the two legislations compare on the Perkuto blog.

9142
19
19 Comments